Skip to main content

Simple Shopping Cart CVE-2026-48868

| EUVDEUVD-2026-36847 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-15 Patchstack GHSA-48rr-4889-hv7w
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network IDOR with no user interaction reads other users' plugin data; confidentiality high, no integrity or availability impact, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:49 vuln.today

DescriptionCVE.org

Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions.

AnalysisAI

Unauthorized data access in the WordPress Simple Shopping Cart plugin (versions <= 5.2.9) allows remote unauthenticated attackers to retrieve sensitive information belonging to other users through an Insecure Direct Object Reference (IDOR) flaw. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), exploitation is network-reachable with low complexity and no authentication. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The affected component is the Simple Shopping Cart plugin (also tracked as 'WordPress Simple PayPal Shopping Cart') developed by mra13 / Tips and Tricks HQ, a WordPress e-commerce extension that adds cart, checkout, and order management features to WordPress sites. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), in which the application exposes object identifiers (such as order, cart, or customer record IDs) in client-supplied parameters without validating that the requesting principal is authorized to access the referenced object. CPE cpe:2.3:a:mra13_/_team_tips_and_tricks_hq:simple_shopping_cart:*:*:*:*:*:*:*:* confirms the affected application is the WordPress plugin family rather than a separately distributed product.

RemediationAI

Patch available per vendor advisory - upgrade the Simple Shopping Cart (WordPress Simple PayPal Shopping Cart) plugin to a version newer than 5.2.9 as published by Tips and Tricks HQ, consulting the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wordpress-simple-paypal-shopping-cart/vulnerability/wordpress-simple-shopping-cart-plugin-5-2-9-insecure-direct-object-references-idor-vulnerability for the exact fixed release number, which is not enumerated in the input data. If immediate patching is not possible, deactivate and delete the plugin (side effect: cart and checkout functionality will be unavailable) or place the WordPress site behind a WAF and add rules that block direct access to cart, order, or customer endpoints with numeric IDs that do not match the requesting session (side effect: may break legitimate share-cart or guest-checkout flows), and monitor web access logs for sequential or enumerated ID requests against the plugin's endpoints.

Share

CVE-2026-48868 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy